I'm trying to deploy a simple WordPress website with Nginx as reverse proxy, but right after I installed SSL (Let's Encrypt Certbot), I can no longer access the default WordPress install page; instead I'm getting the browser's 'ERR_TOO_MANY_REDIRECTS'.
The Nginx config is set up to redirect all traffic from HTTP to HTTPS and also from non-www to www.
Here's how the config file looks:
upstream site1-php-handler {
    server unix:/var/run/php/php-fpm.sock;
}

# HTTPS, bare domain: only redirects to the www host
server {
    server_name example.com;
    return 301 https://www.example.com$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# HTTPS, www host: serves WordPress via PHP-FPM
server {
    root /var/www/html/example.com;
    server_name www.example.com;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass site1-php-handler;
    }

    access_log /var/log/nginx/example_access.log;
    error_log /var/log/nginx/example_error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# HTTP, bare domain: Certbot-generated redirect to HTTPS
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}

# HTTP, www host: Certbot-generated redirect to HTTPS
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.example.com;
    listen 80;
    return 404; # managed by Certbot
}
Nah, I know how to do that. I was just asking your permission.
And I don't want to expose the domain here as I haven't set up the WordPress yet. Someone getting their hands on the first WordPress setup might set it up on their own. Don't want to go through the hassle of removing my app and doing everything all over again.
Oh, you are behind Cloudflare CDN. Check the redirect settings you have there. It looks like you are redirecting HTTPS to itself. Usually only HTTP to HTTPS redirects are done there, but you have that set up nicely in nginx, so maybe you don't need any redirects in Cloudflare.
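How a CDN edge in front of the config posted above can turn the origin's own redirects into a loop, as an added example (not code from the thread or from any poster). The Cloudflare behaviour modelled here is an assumption about one common cause, not something the thread confirms: in Cloudflare's "Flexible" SSL mode the edge fetches from the origin over plain HTTP even when the visitor used HTTPS, so the origin's http-to-https 301 is re-issued on every hop. The `origin()` function is a model of the posted nginx config, and `edge()` is the assumed edge behaviour.

```python
"""Model of a redirect loop between a CDN edge and the nginx config above.
Added example, not code from the thread. The edge behaviour modelled here is
an assumption about a common cause (Cloudflare "Flexible" SSL mode fetching
the origin over plain HTTP regardless of the visitor's scheme)."""

from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # roughly where browsers give up with ERR_TOO_MANY_REDIRECTS
REDIRECTS = {301, 302, 307, 308}


def origin(scheme, host, path):
    """The posted nginx config, as a function: returns (status, location)."""
    if scheme == "http":
        # Certbot's port-80 blocks: 301 to https on the same host, else 404
        if host in ("example.com", "www.example.com"):
            return 301, f"https://{host}{path}"
        return 404, ""
    # port-443 blocks: bare domain redirects to www, www serves the site
    if host == "example.com":
        return 301, f"https://www.example.com{path}"
    if host == "www.example.com":
        return 200, ""
    return 404, ""


def edge(scheme, host, path, mode):
    """Assumed CDN edge semantics: 'flexible' always talks plain HTTP to the
    origin; 'full' keeps the visitor's scheme when contacting the origin."""
    origin_scheme = "http" if mode == "flexible" else scheme
    return origin(origin_scheme, host, path)


def follow(url, mode, max_redirects=MAX_REDIRECTS):
    """Follow redirects like a browser. Returns (outcome, hops) where outcome
    is the final HTTP status, 'loop' (a URL repeated) or 'too_many_redirects'."""
    hops = [url]
    for _ in range(max_redirects):
        u = urlsplit(url)
        status, location = edge(u.scheme, u.netloc, u.path or "/", mode)
        if status not in REDIRECTS:
            return status, hops
        url = location
        if url in hops:  # revisiting a URL means the chain can never finish
            return "loop", hops + [url]
        hops.append(url)
    return "too_many_redirects", hops


if __name__ == "__main__":
    for mode in ("full", "flexible"):
        outcome, hops = follow("http://example.com/", mode)
        print(f"{mode:9} {outcome!s:6} " + " -> ".join(hops))
```

Against a live site the equivalent check is `curl -sSIL --max-redirs 5 https://www.example.com/` (one `Location:` header per hop) run twice: once normally, through the CDN, and once with `--resolve www.example.com:443:ORIGIN_IP` so the request bypasses the edge and hits the origin directly. If only the first run loops, the problem is in the edge's SSL/redirect settings, not in nginx. A setting that keeps the visitor's scheme end to end (Cloudflare's "Full (strict)") also means the origin must present a valid certificate, which is why the Let's Encrypt certificate on the origin is still needed.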
Hey, it was set to the default settings. But then I have another website there in CF, and I followed its settings and enabled HTTP to HTTPS. And now it's working. Weird.
If you have gotten a public certificate issued, your domain has already been exposed, as all publicly trusted certificates are required to be submitted to multiple certificate transparency logs, which are also public. This is actually a common and known attack vector: script kiddies are using certificate transparency logs to check for improperly configured sites, such as WordPress sites not yet set up.
As you already have a certificate issued, your site is already at risk!
Oh damn. But as soon as I had access to the WordPress page, I set it up right away. I guess it won't be an issue now. But hey, thanks for the info. Learned a new thing today.
@MikeMcQ however, I had a question, a noob one though lol. Now that CF's redirect is enabled from HTTP to HTTPS, do I remove all those Certbot certificates and if blocks from my config above?
You should, IMO, at least check the web server log files for access attempts from malicious scripts. That said, such things are outside the scope of this Community.
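A concrete way to do the log check suggested above, and to look for the CT-log-driven scanners mentioned earlier in the thread, as an added example (not code from the thread or from any poster). It parses nginx's default combined log format, which is what the `access_log` line in the posted config writes, and reports which client IPs requested the WordPress installer and the usual follow-up endpoints. The probe path list and the sample log lines are constructed for the example.

```python
"""Scan an nginx access log (combined format) for requests that probe a
not-yet-configured WordPress install. Added example, not from the thread;
the sample log lines are constructed and the probe paths are an assumption
of what such scanners commonly request."""

import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoints that matter on a fresh WordPress: the installer itself, then the
# login/RPC endpoints scanners enumerate once they know a site is live.
PROBE_PATHS = {
    "/wp-admin/install.php": "installer reachable: anyone can complete setup",
    "/wp-admin/setup-config.php": "config wizard (accepts DB credentials)",
    "/wp-login.php": "login brute-force target",
    "/xmlrpc.php": "XML-RPC (brute-force amplification, pingback abuse)",
    "/wp-config.php.bak": "backup config leak probe",
}

# Constructed sample: two installer hits, two endpoint probes, one benign
# request and one malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:01:03 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:01:04 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2108 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jan/2024:12:05:41 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2024:12:05:42 +0000] "GET /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:12:09:00 +0000] "GET /index.php HTTP/1.1" 200 9810 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def scan(lines):
    """Return (by_ip, installer_hits): per-IP counters of probe paths, and the
    installer requests that were actually served (status 200), i.e. the ones
    that could have completed the setup before the owner did."""
    by_ip = defaultdict(Counter)
    installer_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBE_PATHS:
            continue
        by_ip[rec["ip"]][rec["path"]] += 1
        if rec["path"] == "/wp-admin/install.php" and rec["status"] == 200:
            installer_hits.append(rec)
    return by_ip, installer_hits


def report(by_ip, installer_hits):
    """Human-readable summary, busiest client first."""
    lines = []
    for ip, paths in sorted(by_ip.items(), key=lambda kv: -sum(kv[1].values())):
        lines.append(f"{ip}: " + ", ".join(f"{p} x{n}" for p, n in paths.most_common()))
    for rec in installer_hits:
        lines.append(f"WARNING installer served to {rec['ip']} at {rec['time']} "
                     f"({rec['method']}): {PROBE_PATHS[rec['path']]}")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            by_ip, hits = scan(fh)
    else:
        by_ip, hits = scan(SAMPLE_LOG.splitlines())
    print("\n".join(report(by_ip, hits)))
```

Run it as `python3 scan_wp_probes.py /var/log/nginx/example_access.log` (the filename is an assumption). One caveat specific to this thread: with Cloudflare proxying the site, `$remote_addr` in the log is a Cloudflare edge address, not the scanner's. To log the real client, nginx's realip module has to be told to trust the `CF-Connecting-IP` header from Cloudflare's address ranges (`set_real_ip_from` plus `real_ip_header CF-Connecting-IP;`), otherwise every probe above will appear to come from a handful of Cloudflare IPs.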
You need certs for HTTPS connections between the Cloudflare CDN Edge and your origin server.
As for the HTTP server blocks (port 80), I would leave them as is. Cloudflare may not use them (as currently configured) but I'm not sure if certbot will like them omitted. They might also be handy if you change your mind about Cloudflare CDN or its config.
Another option is to use the Cloudflare Origin CA. If you are committed to using CF CDN you could eliminate certbot and Let's Encrypt certs for your origin server. You can read more about that at Cloudflare (below). It's a tradeoff between simplicity and flexibility, mostly.